Posted
by
timothy
on Wednesday July 15, 2009 @04:06PM
from the what's-the-grace-period-again dept.

Hmmm2000 writes "Recently several Visa card holders were, um, overcharged for certain purchases, to the tune of $23,148,855,308,184,500.00 on a single charge. The company says it was due to a programming error, and that the problem has been corrected. What is interesting is that the amount charged actually reveals the type of programming error that caused the problem. 23,148,855,308,184,500.00 * 100 (I'm guessing this is how the number is actually stored) is 2314885530818450000. Convert 2314885530818450000 to hexadecimal, and you end up with 20 20 20 20 20 20 12 50. Most C/C++ programmers see the error now ... hex 20 is a space. So spaces were stuffed into a field where binary zero should have been."

Just hyper-inflate the dollar enough and you could spend 23 quadrillion on a bag of chips. Just look at Zimbabwe ( http://en.wikipedia.org/wiki/Hyperinflation_in_Zimbabwe [wikipedia.org] ) from the article "On January 16, 2009, Zimbabwe announced plans for imminent issue of banknotes of $10 trillion, $20 trillion, $50 trillion, and $100 trillion". So actually, its possible that the dollar could somehow inflate that high so 23 quadrillion isn't that much.

Yeah, of course what happened after that was people started having to resort to bartering for goods using small amounts of Gold, Kinda like what they did TWO-Thousand years ago. So you take an economy and you screw it up so badly that you have to reset it back to the pre-roman levels of commerce..And people laugh at other people for collecting and buying gold.

If there is no perceived value for gold (think: a post-apocalyptic world where people are just fighting to stay alive, not save up for later), cigarettes or clean food and water may be worth more.

Cigarettes and clean food and water are too easily consumed to make a good exchange technology (in any case, food and clean water are the commodities one would most likely want to exchange). Assuming central authority breaks down in this post-apocalyptic society there will be a radical need for a universally rec

People don't use gold for it's intrinsic value as a metal. It's used because sometimes you can't buy a herd of goats with a thousand cans of Dinty Moore stew. Gold is small, convenient, historical, and rare, so it makes a pretty good medium of exchange.

Historically paper money only had value because it was backed by gold, or some other known commodity. Now it's backed by faith. How's that working out for everybody?

Gold also only has value because people believe it does - as the GP post said, you can't eat it, you can't really build a shelter out of it, etc.

In any event, why should the money supply be tied to a rare, precious metal? Matching the growth (or shrinkage!) of the money supply based solely on the discovery, loss, or recovery of a particular natural resource hardly seems like a good plan for managing the economy.

Gold is small, convenient, historical, and rare, so it makes a pretty good medium of exchange.

This is what people don't get. When you are transferring large amounts of wealth around there are very few other options. I've heard of using oil as a medium... but transferring the equivalent amount of wealth in oil would require fleets of tankers. There is nothing special about gold except that it is common enough to be common but rare enough to be rare. We could use platinum but that is too rare, or copper, which isn't quite rare enough. Silver is actually a decent alternative and what many economies used prior to settling on gold.

No, when you're starving, gold isn't worth much. But when you're just past the starving point and trying to create a base economy, crating around a wheelbarrow full of canned goods is inconvenient and makes you a target.

The difference is that the supply of gold fluctuates unpredictably based on natural deposits, industrial use, and the activity of mining companies, while the supply of dollars fluctuates deliberately according to the monetary policy imposed by the central bank. Generally we're better off when the supply is controlled by people who know what they're doing rather than random fluctuations -- if you think business cycles are bad now, take a look at how they worked before the Federal Reserve -- although the outcome can be catastrophic when it's controlled by people who have no clue (i.e. Zimbabwe).

So you're saying the people who didn't see the current crisis coming, assured us it was contained, and then told us we barely avoided catastrophe know what they're doing and are the perfect stewards for our monetary system?

So you're saying the people who didn't see the current crisis coming, assured us it was contained, and then told us we barely avoided catastrophe know what they're doing and are the perfect stewards for our monetary system?

Not perfect stewards, no. But they're still better stewards than mining companies and gold-consuming industries. The alternative is for the value of our currency be affected by what sort of rocks were uncovered recently or how many edge connectors and necklaces are being manufactured; do you really think that would be an improvement?

The Federal Reserve was founded in 1913. The Great Depression started 16 years later.

Surely you aren't trying to imply causality there, are you? Because recessions have gotten shorter and less frequent [seekingalpha.com] since 1900.

The intrinsic value of gold is that it is rare enough to hold large quantities of wealth and cannot be manufactured arbitrarily. The second reason is why every fiat currency has historically failed

Meanwhile, you're transferring the gold certificates around, complete with fees for every transaction (straight to the vault owner, naturally) and he still has an impervious vault full of gold. If society breaks down--which gold buyers seem to expect--you really think he'll honor those scraps of paper? No, he'll be riding it out inside the vault.

I'm too paranoid to buy gold, I invested in seed corn. Too large to steal, too real to lose value.

If we really do suffer a complete and total failure of society to the point where the caretakers of the large stockpiles of gold can get away with claiming ownership of it then the gold will be worthless anyways and of no value anyways. Gold buying is there to help insure against recessions or the collapse of one or more economies/currencies.

BTW If society does collapse I'm coming to live with you and your pile of corn:)

On January 16, 2009, Zimbabwe announced plans for imminent issue of banknotes of $10 trillion, $20 trillion, $50 trillion, and $100 trillion

Believe it or not, that was after Zimbabwe had lopped off a bunch of zeros from their currency the previous year.... twice. And then they did it a third time [cnn.com] a month after they printed their first $100 trillion notes.

Believe it or not, that was after Zimbabwe had lopped off a bunch of zeros from their currency the previous year.... twice. And then they did it a third time a month after they printed their first $100 trillion notes.

I was going to say something similar:-

On July 30, 2008, the Governor of the RBZ, Gideon Gono announced that the Zimbabwe dollar would be redenominated by removing 10 zeroes, with effect from August 1, 2008. ZWD10billion will become 1 dollar after the redenomination.

Then

[*After* the above revaluing] On 12 January 2009, Zimbabwe introduced the $50,000,000,000 note.

So you can multiply $50 billion by $10 billion (per new dollar) to get what it would have been if they hadn't done that sleight of hand; $500 billion billion.

FRACK! At the very LEAST your programmers should have been told (or, if they asked, been allowed) to put QA bounding-box fields on the statements. If a monthly charge font size to be printed is longer than the width of the statement imaginary box, eject the statement from the enveloping system, then punt it to a manager.

That isn't even close to how the financial organizations function. There is simply zero drive to pre-empt problems as there is no major authority breathing down their necks and auditing every single iteration of their customer-facing software processes in great detail.

Moreover, the customers are individuals or small businesses, meaning there is practically nothing to fear in the form of loss of business due to dissatisfied customerbase or defamation. It's not like they have too many other choices.

Yeah, to make the jump from hexidecimal representation for a number to ascii is rather a long-shot.

Here's another:

Represented as 2-nibble-per-byte packed BCD (Binary Coded Decimal), this is the exact correct number of digits for a Visa card number. What you could well be looking at is a pre-initialized dummy card number overlayed with a price (stored in the last two bytes). If so, the expected value of the original default would be:

Actually it looks even simpler then that.
It looks like $2.31 was his amount and the rest was his CC number, since the 4885 is a typical Visa Check Card sequence issued by BofA.
I wonder if this guy was smart enough to look at his card number and verify that was not the case here, especially before putting it out to the press.

I am one of the victims of this programming error, and I can tell you that several thousand VISA debit transactions were miscoded with the same amount: $23,148,855,308,184,500.00.

I was not smart enough to look at my card number before I sent it off to Consumerist [consumerist.com] so that VISA could be made fun of. Happily, the string does not contain my (or apparently anybody's) credit (or debit) card number.

So they weren't getting multiply charged by a site that claimed to only charge once, and only if you cancelled after the trial period, even though you can cancelled before the end of the trial period. Just spaces huh, who would have though?

Yes I am ashamed I signed up innocently, now realising torrents are far safer.

My thoughts exactly. Why is it that when I try and legitimately spend a largish amount (anything into 4 figures basically), the credit card company immediately phones me to check on it, and if I try to spend above my credit limit, they can block the purchase, but things like this are not caught?

Something similar happened to my brother once - a $10 fee for a replacement card somehow became $12 million, automatically debited from his bank account. It took 3 day

Is not so much the error(stupid; but, if corrected, not ultimately a giant deal); but the response of the cardholder to the error:

"The bank kept him on hold for two hours, during which time he contemplated the impossibly bleak financial future that might await him. He also felt a stab of fear that he had saddled all his unborn grandchildren -- and their grandchildren -- with a lifetime of debt. "Down the generational line, nobody would have any money."

For fuck's sake, people, the credit card guys haven't actually bought a law concerning hereditary debt slavery yet, and this guy thinks that it is already on the books?

Pathetic. This guy is grateful that Visa condescended to fix their obvious mistake(this isn't some he said/she said billing dispute, this is someone who allegedly spent more than the world GDP at a gas station)? What is this cringing bullshit? Either this guy is just a sad sack or, rather worse, the "customer service" we get, along with the kangaroo courts that are "mandatory binding arbitration" actually make thankfulness for not being screwed a reasonable response.

Not true. I have personally gotten the better end of the deal at least twice. But no one wants to stand up and say 'I bought a new stereo and was charged -$250 dollars!'. There have also been numerous published accounts of gas stations mistakenly charging hundreds of people $0.25/gal for gas (instead of $2.50).

"Do you owe $23 quadrillion or more on your credit cards? Well I'm about to tell you a secret that the credit card companies don't want you to know. You can settle your debt for pennies on the dollar and get out of debt fast!"

Will the IRS tax any party for this in any way tipped workers look out you may end up owning 15% of $23,148,855,308,184,500.00 of the bill even if this is a error yes the IRS is evil like that some times like that.

Will people get back billed / end up on a baned list as visa seems to be whipping out the full charge is the real charge lost now?

Will people get all there overdrafts taken off or just one even if they are not at error for all of them.

Probably more offensive is that a glitch happened at all, large or small. It could have just as easily been $2.31 in which case he may have not noticed the overcharge and paid it. Charge several thousand people $2.31 too much and you can make an alright profit.

Things like this happen where I work with our AT&T bills all the time. We're on the smaller end of businesses and have a little over 200 lines. At least a couple of times a year we find a number on our bill that isn't one of our numbers. We contact AT&T, they act baffled, and then they credit us for the error. It's so common that they barely even ask any questions when we dispute the charge. I have to imagine that there are numerous other businesses out there in the same situation, but they aren't going through their bills and are subsiquently paying for services they aren't even using. AT&T even has some BS verbage on their statements that says charges not disputed within 60 days can't be disputed. So they can ream someone for years, and then if the company finds out, they can only recoup the last 60 days worth of over charges.

You're probably being crammed [clarkhoward.com]
It sucks because the phone companies legally make money off of other people's fraud this way, so they have negative incentive to check the identity of the crammers.

I work in this industry. The only novelty here is that the error got into production, and was not caught and corrected before it went that far.

Submitters send files to processors which are supposed to be formatted according to specifications.

Note I wrote 'supposed to be'.

Some submitters do, from time to time, change their code, and sometimes they get it wrong. For instance padding a field with spaces instead of zeros. Woopsie...!

Seems that's what happened here. Sounds like a hex or dec field got padded with hex 20, and boom.

This is annoying, especially when the processor gets to help correct the overwhelming number of errors, and then tries to explain that it wasn't their fault. Plenty of blame to go around with this one.

And then explains why they don't both validate/sanitize input, and test for at least some reasonable maximum value in the transaction amount. A max amount of $10,000,000 would have fixed this. That and an obvious lapse in testing. This is what keeps my bosses awake sometimes, fearing they will end up on the front page of the fishwrap looking stupid 'cause their overworked minions screwed something up, or didn't check, or didn't test very well. I love one of the guys we have testing. He's insufferable, and he catches genuine show-stoppers on a regular basis. They can't pay him what he's been worth, literally $millions, just in avoiding downtime and re-working code that went too far down the wrong path.

Believe me, this is in some ways preferable to getting files with one byte wrong that doesn't show up for a month, or sending the wrong data format (hex instead of packed binary or EBCDIC, for instance) and crashing the process completely. Please, I know data should never IPL a system. Tell it to the architects, please. As if they don't know now, after the one crash...

If you knew what I know, you'd chuckle and share this story with some of your buddies in development and certification.

And pray a little.

At least it didn't overbill the cardholders by $.08/transaction. That would suck. This is easy by comparison. Just fix the report data. Piece of cake. Evening's worth of coding and slam it out in off-peak time. Hahahahaha!

Oh, and it wasn't as simple as padding with spaces. Space is hex 20. Zero is hex 30. They should have been been billed 30 quadrillion-something. More likely it was a bad conversion. Still reason to waterboard the testers.

You should try converting packed binary to some flavor of EBCDIC, not knowing in advance which particular version EBCDIC they meant.

I work in this industry. The only novelty here is that the error got into production, and was not caught and corrected before it went that far.

That explains why there are so many software testers currently looking for work. The CC industry doesn't use as many of them, anymore.

Some submitters do, from time to time, change their code, and sometimes they get it wrong. For instance padding a field with spaces instead of zeros. Woopsie...!

You're still using legacy zero padding? You should be doing things in XML.

Seems that's what happened here. Sounds like a hex or dec field got padded with hex 20, and boom.

Not quite. If it were padded with space characters, you get 0x20 in each byte (and that's just what this number had in the first 6 of 8 bytes). If it were padded with zero characters, you would get 34,723,282,962,276,803.04 or so.

The REAL problem here is that the code was interpreting 64 bits as int

'Our' submission files use combinations of fixed-length and variable-length fields. Fixed-length is easy, but variable-length is usually designated by a check byte that tells you what sort of data follows. Our submission file can overall be submitted as either fixed-length or variable length. Yes, the terms are mixed in the specification.

Holly: Busy, Dave?Lister: Well, yeah. I am, actually.Holly: Oh, then you won't want to know about the two super-lightspeed
fighters that are tracking us.Lister: What?!Holly: I'll leave you to your bubble blowing, mate.Lister: No, Hol, come on, come on.Holly: They're from Earth.Lister: Three million years away?Holly: They're from the NorWEB federation.Lister: What's that?Holly: The North Western Electricity Board. They want you, Dave.Lister: Me? Why? What for?Holly: For your crimes against humanity.Lister: You what!Holly: It seems when you left Earth three million years ago, you
left two half-eaten German sausages on a plate in your
kitchen.Lister: Did I?Holly: You know what happens to sausages left unattended for
three million years?Lister: Yeah. They go all mouldy.Holly: Your sausages, Dave, now cover seven-eighths of the Earth's
surface. Also you left seventeen pounds, fifty pence in a
bank account. Thanks to compound interest you now own
ninety-eight percent of all the world's wealth, but since
you've hoarded it for three million years nobody's got any
money except for you and NorWEB.Lister: Why NorWEB?Holly: You left a light on in the bathroom. I've got a final demand
here for one hundred and eighty billion pounds.Lister: A hundred and eighty billion pounds! You're kidding!Holly: (wearing Groucho Marx disguise) April fool.Lister: But it's not April.Holly: Yeah, I know, but I could hardly wait six months with a red-hot
jape like that under my belt.

What's really strange is they're using 64 bits to express a charge amount. How many people are charging manned missions to Mars or the military invasion of a superpower to their Visa? A 64 bit credit limit must be quite the status symbol.

Since our national debit has just hit 1 trillion dollars, we in the United States of American will be second to him in debit.I'm very surprised that credit card company, bank or anybody else didn't have any alarm bells (more air raid sirens in this case) when this went through. Also I thought there will be limit on anyone could charge, not only the credit card, bank or even this case, the nation could get.This shows there is something wrong with the financial system and that is the understatement of the century.

0x20 is "space" in ASCII. The ASCII table maps numerical values to (mostly) readable characters. Unicode is a buffed out table supporting international (and other) characters. The programmers forgot to strip the whitespace from their input.

Oh please... if the person on the phone knew anything about programming, they wouldn't be working the phones, they would be coding their apps like the guys who got promoted from answering the phones last week.